User login

Excuses for not doing the easy security

Wed, 01/23/2008 - 22:25 — Daniel Owen

For as long as I would say that I truly understood computer security I have believed that security in depth is one of the most important elements of security. Coming from this perspective I often find it interesting how many relatively easy elements are not implemented by practitioners. Some of these are the same practitioners that will go to extraordinary lengths in other areas to secure their systems.

The case in point that inspired this is a column written by Bruce Schneier titled Steal This Wi-Fi. A common example I'm sure we all know is the person that doesn't run AV software because they don't need it since they are careful. I will look at these examples and argue that they are short sighted and probably dangerous.

In first example, Schneier argues that since he secures his machines he does not need to secure his wireless. He further argues that since he often travels connecting to networks such as airports and hotels that are potentially more hostile than his home network will ever be. Schneier's final argument is that he considers it nice to offer free wireless to his neighbors. Both of the first two arguments are probably true but for the few minutes that it would take to turn on WPA and configure your wireless clients you gain a level of security. However small the incremental security increase might be it is still an incremental increase for very little effort. That is kind of the definition of defense in depth. No single security change may protect you completely but as a combination you are safer than you were before. Schneier's final argument does have some merit but as he admits it comes with the added risk of potentially having a bad actor use your Internet connection for nefarious purposes. This could in turn lead to your being investigated for a crime or having your Internet contract canceled for abuse. Personally I don't see the little bit of warm and fuzzy feeling to be worth the possible downside. That is ultimately a personal decision.

There are also issue with numerous other ways that general web surfing can lead to compromise. For example mistyping a URL may lead to a malicious web site as was found by The Honeynet Project in their paper Know Your Enemy: Malicious Web Servers AV software is relatively cheap and can actually be free for use by individuals. In the old days AV could be a real resource hog but in today's world of cheap systems with fast processors and a lot of memory this is a thing of the past. If your AV software is keeping your system from running reasonably fast you either have a problem with your system or it is upgrade time.

There are a number of other similar arguments for not doing this or that practice to improve security. The arguments almost always come down to convenience or time and I'm all for looking at the advantages and disadvantages of a given security practice. If it's going to add a tiny amount of security but increases your complexity or build time substantially by all means skip it. On the other hand if you have something that has a small increase in security but also has a small amount of added complexity and implementation time add it. Several small security improvements add up to a real overall improvement. In some cases the small things can add up to be more important than the big flashy improvement by itself.

I'll end this with something that will help to improve security with minimal additional effort and complexity. When setting up processes that have to run under an account create a new user and give it just the amount of access it needs. This is fairly common in the Linux/UNIX world but seems to be forgotten by Windows admins who like running things under their own login accounts. In some cases the access needed may be admin access but a service account still allows you to easily change admin logins passwords or disable accounts without having to worry about breaking processes running under that account. You may also be able to further limit the account even if it is a member of the administrators group. If the account is going to be used to run a scheduled task the password usually doesn't even have to be documented. Simply create a long random password and enter it when creating the account and when creating the scheduled task and then forget it. If you ever need to change the task you can reset the user account password to a new random password and use that one to update your task. This simple step might save you from a compromise. At a minimum it should make administration of your systems easier in the long run.

One of my sites was hacked recently and it took a day to clear up. A site hack could big a company to ist Kees withous good backups. I wonder how many Trojans could be lurking out there for cyber terrorism. The I love you virus went global in 24 hours. I am sure there are sleeping attacking progrms out there right now.